[Pkg-mediawiki-commits] r241 - in mediawiki/squeeze/debian: . patches

Sun Feb 6 15:13:18 UTC 2011

Author: jmw
Date: 2011-02-06 15:13:17 +0000 (Sun, 06 Feb 2011)
New Revision: 241

Added:
   mediawiki/squeeze/debian/patches/CVE-2011-0047.patch
Modified:
   mediawiki/squeeze/debian/changelog
   mediawiki/squeeze/debian/patches/series
Log:
Stable upload to fix CVE-2011-0047

Modified: mediawiki/squeeze/debian/changelog
===================================================================

--- mediawiki/squeeze/debian/changelog	2011-02-06 15:10:28 UTC (rev 240)
+++ mediawiki/squeeze/debian/changelog	2011-02-06 15:13:17 UTC (rev 241)
@@ -1,3 +1,10 @@
+mediawiki (1:1.15.5-2squeeze1) stable; urgency=high
+
+  * CVE-2011-0047: Protect against a CSS injection vulnerability
+    (closes: #611787)
+
+ -- Jonathan Wiltshire <debian at jwiltshire.org.uk>  Sun, 06 Feb 2011 13:45:39 +0000
+
 mediawiki (1:1.15.5-2) testing-security; urgency=high
 
   * CVE-2011-0003: Protect against clickjacking by sending the

Added: mediawiki/squeeze/debian/patches/CVE-2011-0047.patch
===================================================================
--- mediawiki/squeeze/debian/patches/CVE-2011-0047.patch	                        (rev 0)
+++ mediawiki/squeeze/debian/patches/CVE-2011-0047.patch	2011-02-06 15:13:17 UTC (rev 241)
@@ -0,0 +1,58 @@
+Description: prevent CSS injection vulnerability
+Origin: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/81333
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=27093
+Author: Tim Starling, Roan
+Last-Update: 2011-02-06
+
+--- mediawiki-1.15.5.orig/RELEASE-NOTES
++++ mediawiki-1.15.5/RELEASE-NOTES
+@@ -3,6 +3,9 @@
+ Security reminder: MediaWiki does not require PHP's register_globals
+ setting since version 1.2.0. If you have it on, turn it *off* if you can.
+ 
++== Changes since 1.15.5 ==
++* (bug 27093, CVE-2011-0047): Fixed CSS injection vulnerability.
++
+ == MediaWiki 1.15.5 ==
+ 
+ 2010-07-28
+--- mediawiki-1.15.5.orig/includes/Sanitizer.php
++++ mediawiki-1.15.5/includes/Sanitizer.php
+@@ -659,6 +659,13 @@
+ 		// Remove any comments; IE gets token splitting wrong
+ 		$value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
+ 
++		// Remove anything after a comment-start token, to guard against
++		// incorrect client implementations.
++		$commentPos = strpos( $value, '/*' );
++		if ( $commentPos !== false ) {
++			$value = substr( $value, 0, $commentPos );
++		}
++
+ 		// Decode escape sequences and line continuation
+ 		// See the grammar in the CSS 2 spec, appendix D.
+ 		static $decodeRegex, $reencodeTable;
+--- mediawiki-1.15.5.orig/includes/StringUtils.php
++++ mediawiki-1.15.5/includes/StringUtils.php
+@@ -77,16 +77,20 @@
+ 			}
+ 
+ 			if ( $tokenType == 'start' ) {
+-				$inputPos = $tokenOffset + $tokenLength;
+ 				# Only move the start position if we haven't already found a start
+ 				# This means that START START END matches outer pair
+ 				if ( !$foundStart ) {
+ 					# Found start
++					$inputPos = $tokenOffset + $tokenLength;
+ 					# Write out the non-matching section
+ 					$output .= substr( $subject, $outputPos, $tokenOffset - $outputPos );
+ 					$outputPos = $tokenOffset;
+ 					$contentPos = $inputPos;
+ 					$foundStart = true;
++				} else {
++					# Move the input position past the *first character* of START,
++					# to protect against missing END when it overlaps with START
++					$inputPos = $tokenOffset + 1;
+ 				}
+ 			} elseif ( $tokenType == 'end' ) {
+ 				if ( $foundStart ) {

Modified: mediawiki/squeeze/debian/patches/series
===================================================================
--- mediawiki/squeeze/debian/patches/series	2011-02-06 15:10:28 UTC (rev 240)
+++ mediawiki/squeeze/debian/patches/series	2011-02-06 15:13:17 UTC (rev 241)
@@ -6,3 +6,4 @@
 backup_documentation.patch
 suppress_warnings.patch
 CVE-2011-0003.patch
+CVE-2011-0047.patch


